Registry Persistence Mechanism

Registry persistence mechanisms involve malware modifying the Windows Registry to ensure that it executes automatically whenever the system starts or a user logs in. Here are some common registry-based persistence techniques:

1. Run Keys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: Each value under this key holds a command line that Explorer runs every time any user logs on. Writing here requires administrative rights, so an entry in this key usually means the malware had already elevated when it installed itself.

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: Same mechanism, but scoped to the currently logged-on user, so the payload runs only when that user logs on. No elevation is needed to write here, which is why it is the most common choice for commodity malware.

2. RunOnce Keys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce (and its HKEY_CURRENT_USER counterpart): Entries here run at the next logon and are deleted by Windows before the command line is executed; a value name prefixed with "!" defers the deletion until the command has finished. Malware uses this key to execute once and then re-establish itself through another persistence mechanism, so the evidence is gone by the time the key is inspected.

3. Services

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services: Each subkey describes one installed service or driver. Malware can create a new subkey or modify an existing one so that its code runs at boot, before any user logs on and typically as LocalSystem. The values to inspect are ImagePath (the binary, or svchost.exe -k <group> for DLL-hosted services, whose DLL is then named in Parameters\ServiceDll), Start (2 = automatic start) and Type. Creating a service requires administrative rights.

4. Winlogon and Userinit

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon: Malware may modify the Userinit or Shell values to include its executable, ensuring it runs every time a user logs on.

    • Userinit: A comma-separated list of programs Winlogon starts at logon. The default is C:\Windows\system32\userinit.exe, (note the trailing comma); malware appends its own path after it so the legitimate logon sequence still completes and nothing looks broken.

    • Shell: The default shell executable, normally explorer.exe. Malware can replace it or append its own executable after a comma. A Shell value under the per-user HKEY_CURRENT_USER\...\Winlogon key is also honored, so both hives need to be checked.

5. Explorer Shell Extensions

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved: Shell extensions are in-process COM DLLs that Explorer loads when it starts or when the relevant handler (context menu, icon overlay, property sheet) is triggered. The Approved key lists the CLSIDs Explorer is allowed to load; on its own it executes nothing. Malware registers a COM class pointing at its DLL and adds the CLSID here so that the DLL is loaded into explorer.exe on every logon, inheriting a trusted-looking parent process.

6. Startup Folder

  • Although technically not a registry key, malware can drop a shortcut or executable into the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) or the all-users folder (%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup) to run at logon. The location of these folders is itself defined in the registry (the Startup and Common Startup values under HKCU and HKLM \Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders), so malware can also redirect the Startup folder to a directory it controls.

7. Other Registry Locations

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (and the HKEY_CURRENT_USER counterpart): Group Policy run keys that behave like the standard Run keys but are less often inspected because they do not appear in the usual startup lists. Entries here execute at logon.

Detection and Mitigation

  • Detection: Enumerate the keys above with Regedit, reg query, or Sysinternals Autoruns, which also covers the less obvious locations in one view and can verify Authenticode signatures. Look for binaries in user-writable directories (%APPDATA%, %TEMP%, C:\Users\Public, C:\ProgramData), unsigned or misspelled system-like names (svch0st.exe), commands that launch through rundll32, regsvr32, mshta, wscript or an encoded PowerShell string, extra entries after userinit.exe, and a Shell value other than explorer.exe. For continuous monitoring, Sysmon Event ID 13 (RegistryEvent Value Set) on these key paths records who wrote what and when.

  • Mitigation: Baseline the autorun locations on a clean build and alert on deviations, let endpoint protection block or roll back writes to these keys, and enforce least privilege: a non-administrative user cannot touch the HKLM keys, services or Winlogon values, which confines most malware to the HKCU Run key and the per-user Startup folder.
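The checks described above, as an added example that is not part of the original page or the Malfav.asm project: a Python script that parses a reg export style .reg dump offline and applies the heuristics to the Run/RunOnce/Policies keys, the Winlogon Userinit and Shell values, and service ImagePath values. The .reg content, value names, paths and the UpdSvc service are constructed for illustration; the lists of user-writable directories and living-off-the-land launchers are this example's assumptions, not an exhaustive standard.

```python
"""Offline audit of a Windows .reg export for common registry persistence.
Added example for this page; the sample export below is constructed."""
import re

# Constructed .reg export (not from a real host). Note the .reg escaping:
# backslashes are doubled, embedded quotes are \" and REG_EXPAND_SZ is hex(2).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\bob\\AppData\\Roaming\\svch0st.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"x"="rundll32.exe C:\\Users\\Public\\a.dll,Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\u.exe"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UpdSvc]
"Start"=dword:00000002
"ImagePath"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,\
  44,00,61,00,74,00,61,00,5c,00,75,00,70,00,64,00,2e,00,65,00,78,00,65,00,00,00
'''

# Heuristics (assumptions of this example, extend to taste).
USER_WRITABLE = re.compile(
    r"(?i)(\\appdata\\|\\temp\\|\\users\\public\\|\\programdata\\|"
    r"%(appdata|localappdata|temp|tmp|public)%)")
LOLBIN = re.compile(
    r'(?i)(^|[\\\s"])(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh|'
    r'certutil|msiexec)(\.exe)?\b')
USERINIT_OK = re.compile(r"(?i)^(c:\\windows|%systemroot%)\\system32\\userinit\.exe$")
AUTORUN_KEY = re.compile(r"(?i)\\currentversion\\(run|runonce|policies\\explorer\\run)$")
WINLOGON_KEY = re.compile(r"(?i)\\windows nt\\currentversion\\winlogon$")
SERVICE_KEY = re.compile(r"(?i)\\currentcontrolset\\services\\[^\\]+$")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles REG_SZ ("..."), REG_DWORD (dword:) and REG_EXPAND_SZ (hex(2):,
    UTF-16LE, possibly wrapped over several lines); other types stay raw."""
    joined = re.sub(r"\\\r?\n\s*", "", text)   # undo backslash line continuations
    hives, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            hives.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])          # unescape \\ and \"
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        elif data.lower().startswith("hex(2):"):
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            value = raw.decode("utf-16-le").rstrip("\x00")
        else:
            value = data
        hives[key][name] = value
    return hives


def _check_command(key, name, cmd):
    """Flag a command line that lives in a user-writable path or uses a LOLBin."""
    out = []
    if USER_WRITABLE.search(cmd):
        out.append((key, name, f"binary or argument in user-writable location: {cmd}"))
    if LOLBIN.search(cmd):
        out.append((key, name, f"launched through a living-off-the-land binary: {cmd}"))
    return out


def audit(hives):
    """Return (key, value_name, reason) tuples for entries matching the heuristics."""
    findings = []
    for key, values in hives.items():
        if AUTORUN_KEY.search(key):                    # Run, RunOnce, Policies\Explorer\Run
            for name, cmd in values.items():
                findings += _check_command(key, name, str(cmd))
        elif WINLOGON_KEY.search(key):                 # Userinit / Shell tampering
            for part in str(values.get("Userinit", "")).split(","):
                if part.strip() and not USERINIT_OK.match(part.strip()):
                    findings.append((key, "Userinit", f"unexpected Userinit entry: {part}"))
            shell = values.get("Shell")
            if shell is not None and str(shell).strip().lower() != "explorer.exe":
                findings.append((key, "Shell", f"Shell is not explorer.exe: {shell}"))
        elif SERVICE_KEY.search(key) and "ImagePath" in values:   # one service subkey
            findings += _check_command(key, "ImagePath", str(values["ImagePath"]))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n  {name}: {reason}")
```

To use it on a real host, export the keys with reg export (for example reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg) and read the file with encoding utf-16, which is what reg export writes by default. The user-writable heuristic is deliberately noisy: the constructed OneDrive entry is flagged even though per-user installs under %LOCALAPPDATA% are normal, which is why a live triage should pair path checks with a signature check (Autoruns or Get-AuthenticodeSignature) rather than trusting the location alone.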

Registry-based persistence is a common technique due to its ability to survive reboots and user logins, making it crucial to monitor and analyze registry changes for effective malware detection and removal.

Last updated 10 months ago